The subject matter of the present application is related to “Method and System for Providing Automated Updating and Upgrading of Antivirus Applications Using a Computer Network” (application Ser. No. 09/001,611), the contents of which are hereby incorporated by reference, assigned to the assignee of the present invention.
Intrusion attacks on computer networks are a major problems in today's networked computing environment. An intrusion attack occurs when an intruder either breaches a network or temporarily disables it. As far back as 1992, the Federal Bureau of Investigation had determined that computer crime is the most expensive form of commercial crime—with an average cost of $450,000 per theft. Estimates of the total dollar figure for computer theft are as high as $5 billion per year.
Intrusion attacks are generally given a name, typically reflecting the characteristics of the attack. For example, a “Ping of Death” intrusion attack occurs when an intruder sends abnormally large ping packets in an attempt to disable a remote system. A “ping” checks whether a remote host is active on a network by sending it packets. The remote host then echos back those packets to the user's machine. If the remote host does not echo back the packets, the remote host is considered down and the ping sender is so notified. If a large number of ping packets are sent to a remote host at one time, this can cause an abrupt failure of the core part of the operating system, potentially causing data to be lost due to improper system shutdown.
Another type of attack is called the “SYN Flood” attack. With this type of intrusion attack, an intruder attempts to establish a connection with a service; however, the client does not allow the connection to be completed. The service continues to send confirmations to the client in an attempt to complete the connection. The connection queues fill up, and service is denied to legitimate users.
A variety of programs have been developed to detect and intercept intrusion attacks on networks. By monitoring the traffic on a network, or the traffic at the gateway of a local area network, these “monitors” can alert a system administrator when a virus is detected. A monitor is typically implemented by an anti-intrusion software program on a server attached to the network. By server, what is meant is any type of computer on which the software program is loaded. This server, hereinafter referred to as an “anti-intrusion monitor server,” examines packets that pass on the network and looks for characteristics of known attacks. When an anti-intrusion monitor server detects characteristics of a known intrusion attack, a system administrator is typically notified.
Other actions, while not strictly attacks, indicate malicious intent and often precede an attack. Examples include information gathering probes and connection attempts. An anti-intrusion monitor server will also watch for this type of malicious activity, often a precursor to an attack.
In order to detect intrusion attacks, the anti-intrusion software of a monitor server typically includes an intrusion attack scanning engine with one or more files known as “attack signature files,” which contain information pertaining to known types of intrusion attacks. This information includes both the type of protocol the attack occurs in (e.g., Transmission Control Protocol/Internet Protocol [TCP/IP] or File Transfer Protocol [FTP]) and specific packet information which is indicative of an attack. Importantly, the anti-intrusion software is only able to detect those types of intrusion attacks for which it has a corresponding attack signature files. If a new type of intrusion attack is developed, the anti-intrusion monitor server will be unable to detect it.
By way of example, and not by way of limitation, a leading anti-intrusion attack program and its accompanying attack profiles will be described. It is emphasized that this example is presented only for clarity of presentation, and does not limit the scope or context of the preferred embodiments to certain software packages, software types, or operating system types. Indeed, the preferred embodiments are advantageously applied to many different types of anti-intrusion software programs on many different types of operating systems and computer configurations.
A leading anti-intrusion application, produced by Network Associates, is called CyberCop Network. CyberCop Network is a real-time intrusion detection system, performing round-the-clock surveillance of network traffic. Acting as a hi-tech burglar alarm, CyberCop Network helps protect a network from attacks—both internal and external—by sending out alerts when the security of the network is breached by unauthorized intruders. CyberCop Network is a software application offered in a variety of outlets and forms. It is accompanied by documentation, including the “CyberCop Network for Windows NT v2.0 User's Guide,” issued October 1998. The contents of these documents are hereby incorporated by reference into the present application.
In one form, CyberCop Network is adapted to run on one or several Windows NT-based servers connected to a network. For optimum security, each CyberCop Network server should be installed on a dedicated machine before any point of entry to the network or network segments. This would include at the same network segment as the web server, at the Ethernet interface just inside the firewall, or between the Internet router and the internal machines.
If CyberCop Network does run on multiple servers, all servers running CyberCop Network can be configured at a single monitor server running CyberCop Network Configuration Manager, a configuration tool. CyberCop Network Configuration Manager can remotely configure all networked servers running a local copy of CyberCop Network.
CyberCop Network Configuration Manager uses Windows' “drag-and-drop” feature to create and distribute monitoring profiles for attacks. A “profile” includes the following three attributes: 1) one or more attack signatures with detection thresholds; 2) one or more monitoring schedules; and 3) one or more attack notification methods. Profiles are distributed from the Configuration Manager to the networked servers directing them to perform remote monitoring functions using their local copies of CyberCop Network.
To create a monitoring profile, a user first chooses which networked server (or servers) the profile will operate on, and selects that server. The user then has the choice of which attack signature files to include in the profile. The “master attack list” includes approximately 180 known attacks, sorted into protocol attack groups by the protocol they occur in, e.g. TCP/IP, FTP, or WWW. Each attack signature file also includes a corresponding description of the attack that the user can read. The user can import the entire master attack list, an entire protocol attack group, or individual attack signatures that the user can pick and choose. Next, the user must set the threshold of detection sensitivity by specifying the number of times within a specified number of seconds/minutes that an attack must occur before an alert is generated. CyberCop Network will perform specific operations when an alert is generated, in accordance with the Alert Manager's settings as configured by the user, explained below. Detection sensitivity can be set for each individual attack signature or collectively for an entire attack group.
The user has the option of setting a monitoring schedule for each attack signature or group. The monitoring schedule allows the user to set the time period for each day of a week that CyberCop Network will monitor for the attack signature or group. Scheduling allows a user to minimize the inconvenience caused by false alarms. For example, a user may want to turn off detection during periods of peak traffic, and turn on detection after hours. If a monitoring schedule isn't set, the default schedule enables detection at all times.
CyberCop Network logs events, i.e. suspected attacks or malicious activities, based on analysis of network traffic, and then sends alerts based on those events. The user can set “exclusions” for each individual attack signature or collectively for an entire attack group, which allow the user to filter out events that would otherwise issue as an alert. The user can set exclusions based on traffic from specific sources or to specific destinations. For example, a user could set one node on a network to be monitored for ping of death attacks, and then exclude the monitoring of all other nodes for this type of intrusion attack.
To distribute profiles amongst multiple servers, a user need merely drag and drop the profile to all networked servers which the user wishes to have monitor the specific settings of the profile.
Finally, the user must configure the “Alert Manager.” Alerts can be forwarded to other networked computers running CyberCop Network so as to consolidate the alert messages on a designated server. The user may specify up to nine operations CyberCop Network will perform when it generates an alert, including: 1) sending an alert as a network message; 2) sending an alert as an STMP e-mail message; 3) sending an alert to a pager; 4) sending an alert to a network printer; 5) sending an alert as an SNMP network message; 6) sending an alert to a DMI console; 7) launching a program on alert; 8) sending an alert as an audible .WAV file; or 9) logging the alerts to the Windows NT Application Event Log.
Users can drag and drop, or cut and paste, elements from any profile to any other profile to reorganize or populate a profile.
A limitation of CyberCop Network is that the user is limited to the 180 or so attack signature files supplied with the software to assemble monitoring profiles. These attack signature files are based on known attacks only. However, as is true with computer viruses, the types of attacks are always evolving. “Crackers,” or hackers with malicious intent, are limited only by their creativity as personal computers become more and more powerful and networks become more and more prevalent.
It has been found that as soon as a new type of attack is discovered, knowledge of its existence is quickly disseminated over the Internet at security clearinghouse web sites, such as “http://www.rootshell.com.” Anti-intrusion software manufacturers may also monitor the flow of information of newly discovered attacks, and can quickly design attack signature files to detect and therefore prevent new types of attacks.
While the creation of an attack signature file for a newly discovered attack is helpful, it is necessary that it reach the CyberCop Network user. Updates are commonly sent out on a physical data medium such as a CD-ROM or floppy disk to customers. Alternatively, users can access Network Associates' website at “http://www.nai.com” and download updated attack signature files. However, in the modern environment of the overburdened system administrator who is typically kept busy addressing present network failures, obtaining and installing merely preventative attack signature files may take a low priority. The result of an outdated network security system may have no immediate impact, but if a “cracker” gets through on an intrusion attack, the results can be disproportionately disastrous.
FIG. 1 shows the prior art method of updating attack pattern information, which includes attack signature files, on a network running anti-intrusion software. FIG. 1 shows a typical corporate local area network 100 comprising a network server 102, a communications network 104 such as an Ethernet network, a plurality of user nodes 106A-C and an Internet gateway server 108 connected to the Internet 110 through Internet connection 116. As known in the art, Internet connection 116 can be through an ISP (Internet Service Provider) in the form of a SLIP (Serial Line Interface Protocol) or PPP (Point to Point Protocol) connection, or through a dedicated connection to the Internet 110.
Running on network server 102 is anti-intrusion software (not shown) which monitors the traffic on the communications network 104 for attacks and other malicious activities. This combination of network server and anti-intrusion software is herein referred to as an “anti-intrusion monitor server.” Typically, a dedicated system administrator 112 is responsible for ensuring that the anti-intrusion software stays updated. To do so, he can obtain updated or modified attack pattern information from the anti-intrusion software manufacturer's FTP or World Wide Web site 114. However, this request must be made manually and with knowledge of the current attack signature files loaded on anti-intrusion monitor server 102. Alternatively, the anti-intrusion software manufacturer may send out updated or modified attack pattern information via CD-ROM or floppy disk 118. The system administrator 112 then manually installs the updated information on anti-intrusion monitor server 102. In either case, the attack pattern information is updated only as often as the system administrator has time to collect and install the updates, a practice which may be costly in light of the ongoing, non-stop efforts of malicious crackers.
An additional level of complexity is added if there are multiple anti-intrusion monitor servers which must be updated individually (i.e. there is no remote configuration functionality as with CyberCop Network). In that case, in attempting to obtain the appropriate updated attack pattern information, the system administrator would be required to: 1) maintain an awareness of all attack pattern information on each server; 2) maintain an awareness of the hardware platform (e.g. IBM, Macintosh, Sun, Silicon Graphics) and software platform (e.g. Windows NT, Windows 95, Windows 3.1, Macintosh OS, UNIX) of each server to ensure acquisition of the appropriate information; and 3) retrieve and install the latest versions of updates for each server as soon as those updates become available. The odds of accurate and efficient anti-intrusion updating are reduced even further.
Accordingly, it would be desirable to provide a computer program product and method for providing the most up-to-date intrusion attack monitoring and detection via updated attack signature files for protecting against newer attacks.
It would be further desirable to provide a computer program product and method for the anti-intrusion software updating to be simple and automatic, so that less system administrator intervention is necessary.
It would be even further desirable to provide a computer program product and method of anti-intrusion software update distribution which allows a higher frequency of update releases from anti-intrusion software manufacturers for the most up-to-date, or even up-to-the-hour, anti-intrusion attack protection available.
It would be even further desirable to provide a computer program product and method where attack signature files are automatically distributed to a gateway monitor server, which can then distribute the updated attack signature files to other networked computers either automatically or in accordance with user-set monitoring profiles.